Wednesday, 28 March 2012

Operation Shady RAT and China on Cyber attacks

Companies are just beginning to recognize the mounting cyber-based threats to their intellectual property

Night Dragon. Operation Aurora. Operation Shady RAT. In the past several years, internet security company McAfee and various media groups have pinned a series of high-profile hacker attacks with names worthy of spy novels on China-based groups.

Yet the attacks differed from the classic spy account in one notable respect: They were directed mainly at commercial, rather than government, secrets. Operation Aurora comprised the well-publicized attacks on Google and two dozen other companies, while Shady RAT included intrusions into more than 70 companies, governments and non-profit organizations. Night Dragon was a series of attacks on global oil, energy and petrochemical companies that sought out exploration details and financial data.

These high-profile attacks were just a tiny sampling of the espionage that companies face each year. The losses companies experience from these attacks are impossible to quantify, said Adam Segal, the Ira A Lipman senior fellow at the Council on Foreign Relations. "To be quite honest, the metrics are all completely broken. You can find numbers that will tell you what they think the value of the property stolen is … [but] the estimates are orders of magnitude different from each other."

Many in the industry suggest that cyber attacks are common - companies just do not have the systems in place to detect them. Dmitri Alperovitch, the vice president of threat research at McAfee, has described the current rash of cyber hackings as "a historically unprecedented transfer of wealth," in which national secrets, source codes, legal contracts and much more have "fallen off the truck" of numerous, mostly Western companies.

Yet with purchases of insurance and protection systems on the rise, one thing is certain: More Western companies will soon discover that Chinese pilferers have eroded their competitive advantage.

Watch, bag, DVD

"Intellectual property violations" in China have thus far been synonymous with the small mountains of fake DVDs or other counterfeit goods that are featured on the front page of state newspapers every month or so. Local governments remain reluctant to clamp down too hard on piracy because the industry is a big employer, yet they can't ignore allegations entirely. So periodically, as the complaints reach a crescendo, police create small mountains of these goods and set them on fire or run them over with a bulldozer.

China watchers have seen this cycle continue for years. Yet perhaps all the burning and bulldozing is finally beginning to have more than a cosmetic effect. Though fake products are still rife, most analysts agree that protections for intellectual property in China are improving. IP owners who now report infringement to Taobao, Youku or other established internet sites more often than not will see the offending material removed. And Chinese courts, especially in first-tier cities, are increasingly upholding intellectual property rights and awarding damages to Western brands that can provide strong evidence of infringement.

But while enforcement is improving, it is far from airtight, said Edward Chatterton, a partner in DLA Piper's Hong Kong intellectual property and technology team. Chinese courts tend to be more lax in China's lower-tier cities, "particularly when you're suing a defendant on their home turf, particularly where the defendant is a big employer," he said.

And unfortunately for IP owners, infringements may merely be getting more sophisticated. These days, a growing number of Chinese intellectual property cases are related to know-how, said Yan Zhao, a partner in DLA Piper's Shanghai office. Companies are finding that peddling "Nibe" sportswear or "LB" handbags is no longer the get-rich-quick recipe it once was, and some have moved on to more valuable commercial secrets.

In the past, the frequency of intellectual property theft in China encouraged some companies to keep their secret sauce - their engineers and R&D for novel products - at home. But the increasing occurrence of cyber attacks shows that not even that strategy can safeguard intellectual property entirely.

The files are in the computer?

Public awareness of cyber attacks has risen in the last few years, in part due to the flood of media coverage that accompanied Google's announcement in 2010 that it had been the victim of an attack.

But most companies have remained silent on the subject. Businesses are understandably eager to avoid the negative press and investor reaction that accompany a cyber attack. Google said that nearly two dozen other companies were also hit in the attack it experienced in 2010, but only Adobe Systems, Juniper Networks and Rackspace came forward to admit they were victims.

This reticence will soon change. Last October, the US Securities & Exchange Commission issued new guidance requiring US-listed companies to disclose any cyber attacks that might affect the value of shareholder investments. Companies will have the first opportunity in their fourth-quarter filings, many of which will be released in February and March.

The SEC's guidance also required companies to disclose a "description of relevant insurance coverage," a move which was clearly intended to create a market for security, said Segal of the Council on Foreign Relations. "We've already begun to see an increase in people buying cyber security insurance," he said. "That was clearly one of the intentions, to create a secondary market, and also so the CTO or CSO can then turn to the CEO or CFO and say 'We have to buy these systems' - because before, of course, no one wanted to spend on those systems." The increasing use of security systems is likely to help stem the number of attacks and lead to quicker detection, lessening the amount of money lost overall.

Most of the attacks mentioned above are incidents of spear phishing, or what the protection industry has labeled "advanced persistent threat." Spear phishers typically use Facebook, LinkedIn and other public resources to identify employees to target within a company. Posing as a colleague or interested contact, hackers send an official-looking email with a PDF file or link that, when opened, downloads a Trojan horse program. Hackers can use these programs to explore the contents of the computer, log keystrokes and send regular reports to another machine. Software can help to limit these issues, but it is not yet clear that these systems will be able to shut out more sophisticated attacks, such as those that targeted Google.

Start simple

Most companies should begin by focusing not on these sophisticated attacks, but on the simple oversights that cause the majority of security breaches. Many companies are only just beginning to realize how pervasive these threats are and educate their employees about them. "We've learned over the years that on the shop floor … we want to make sure people have steel-toed shoes," said Kent Kedl, the North Asia managing director of consultancy Control Risks. "What people don't think about is having the same kind of concern for their cyber networks."

Simple, day-to-day precautions, like educating employees about spear phishing and running frequent virus scans, are often the most effective way to guard against security breaches, Kedl said. "We'd like to think it's all CSI Miami, but we're not nearly as good looking as those people on TV," he joked. "It's really basic blocking and tackling."

One of these solutions is limiting information available to people inside the company. Although sophisticated China-based hackers have grabbed the majority of headlines, security providers say most cases involve intellectual property theft by an employee. As a result, one of the easiest ways for companies to protect themselves is by limiting employee access to the design specifications, supplier lists and technical descriptions that are often kept on company networks.

Companies with very valuable intellectual property, such as pharmaceutical makers, sometimes adopt a tactic called "the shell game," in which each employee is given access to only a small part of the secret recipe. To recreate the intellectual property, many employees must work in concert, making their plans much easier to detect.

It's easy to assume that high-tech problems can only be solved with high-tech solutions. But the surest way to guard intellectual property seems to be by ushering in a new understanding of the value and risks of information. The first step to battling night dragons and shady rats is simple: the problems - and the solutions - begin and end with employees.